CVE-2011-1484

CWE-2647 documents5 sources

Severity

6.8MEDIUM

EPSS

1.2%

top 21.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Seam 2 Framework Redhat Jboss Enterprise Application Platform Redhat Jboss Enterprise SOA Platform

Timeline

PublishedJul 27

Latest updateMay 17

Description

jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶NVDredhat/jboss_enterprise_application_platform4.3.0, 5.1.0+1

▶NVDredhat/jboss_enterprise_soa_platform4.3.0, 5.1.0+1

▶NVDredhat/jboss_seam_2_framework2.2.2+9

🔴Vulnerability Details

GHSA

GHSA-x438-vrwx-gvfx: jboss-seam↗2022-05-17

▶

CVEList

CVE-2011-1484: jboss-seam↗2011-07-27

▶

📋Vendor Advisories

Red Hat

JBoss Seam EL interpolation in exception handling↗2011-07-18

▶

Red Hat

JBoss Seam privilege escalation caused by EL interpolation in FacesMessages↗2011-04-20

▶

💬Community

Bugzilla

CVE-2011-2196 JBoss Seam EL interpolation in exception handling↗2011-06-10

▶

Bugzilla

CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages↗2011-03-31

▶